1. Disable Bonjour on the DVR server
2. Block access to the DVR port from the client
3. Configure the router to bounce back packets going out from the client to the public IP and public port of the DVR and route them to the DVR with the source address of the public IP by doing double NAT (SNAT and DNAT) in iptables.
Steps 1 and 2 would not be necessary if the client were not second-guessing the user's decision and always trying to connect locally.
Maybe there should be an option to allow/disallow trying to connect directly and just trust the user when they say stream remotely? Trust the user - Yes/No?
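
The double NAT from step 3, as an added example that is not part of the original post: the function only prints the iptables commands so they can be reviewed before being applied on the router. The function names are hypothetical, and every address and port is caller-supplied (the values in the usage comment are constructed placeholders).

```shell
#!/bin/sh
# Added example: prints (does not apply) the double-NAT rules for step 3.
# Usage with constructed placeholder values:
#   hairpin_rules 192.168.1.20 203.0.113.10 8089 192.168.1.50 8089

is_ipv4() {
    # Accept dotted quads only, each octet 0-255.
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

is_port() {
    # Digits only, at most five of them, in the range 1-65535.
    case "$1" in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# hairpin_rules CLIENT_IP PUBLIC_IP PUBLIC_PORT DVR_IP DVR_PORT
hairpin_rules() {
    [ "$#" -eq 5 ] || { echo "expected 5 arguments" >&2; return 2; }
    client=$1 pub_ip=$2 pub_port=$3 dvr_ip=$4 dvr_port=$5
    for a in "$client" "$pub_ip" "$dvr_ip"; do
        is_ipv4 "$a" || { echo "bad IPv4 address: $a" >&2; return 1; }
    done
    for p in "$pub_port" "$dvr_port"; do
        is_port "$p" || { echo "bad port: $p" >&2; return 1; }
    done

    # DNAT: client traffic aimed at the public IP/port is turned around
    # and sent to the DVR's internal address.
    echo "iptables -t nat -A PREROUTING -s $client -d $pub_ip -p tcp" \
         "--dport $pub_port -j DNAT --to-destination $dvr_ip:$dvr_port"

    # SNAT: the DVR sees the public IP as the source, so the connection
    # looks remote and replies return through the router.
    echo "iptables -t nat -A POSTROUTING -s $client -d $dvr_ip -p tcp" \
         "--dport $dvr_port -j SNAT --to-source $pub_ip"

    # Forward only connections that went through the DNAT rule above.
    echo "iptables -A FORWARD -s $client -d $dvr_ip -p tcp" \
         "--dport $dvr_port -m conntrack --ctstate DNAT -j ACCEPT"
}
```

Scoping every rule to the single client address and the DVR port keeps the hairpin from applying to other hosts or services behind the router.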